I don't think we have seen any alternative proposals for putting the
policy *enforcement* on the server. It also seems very hard to me to
rely on the server enforcing the policy, while still protecting legacy
servers, since they currently do not perform any such enforcement.
What I have seen suggestions for, though, is a simpler policy language
that doesn't send a full white-list to the client, but rather just a
yes/no decision to the client.
/ Jonas